Re: [webauthn] Authenticators that do not recognize any handles shouldn't just be dropped on the floor

Yes, that makes sense to me. @kpaulh's assertion about empirical results had me mostly convinced, but I was curious about what the introduction of platform credentials would mean for this.

That said, the 2018-04-25 WG call decided to not take this on until L2. I'm not sure what that means for whether or not Chrome's behaviour as described here will be conformant with the L1 spec.

---

>[...] today, there's no good way in WebAuthn for an RP to indicate that they "definitely only want to deal with platform authenticators" [...] this might be a bit of a drawback for RPs who really don't want to bother users with external devices [...]

My thoughts on this:

 1. There is _a_ way - maybe not a good one, but one that might be functional enough.
 2. I don't see why that should be up to the RP to decide (aside from concerns about confusing users with instructions to insert external devices they don't have).

1: The RP can check `isUserVerifyingPlatformAuthenticatorAvailable()` and not offer to register a credential if no platform authenticator is available, and also set `authenticatorSelection.authenticatorAttachment` to `"platform"` in the `create()` call. The RP can then know that no user has any roaming credentials.

2: Alternatively, the RP can just do the `isUserVerifyingPlatformAuthenticatorAvailable()` and not set the authentication attachment parameter. In that case the majority of users would likely register the platform authenticator, and if some users go out of their way to register a roaming authenticator anyway then that's their choice and they're aware they're not doing the primarily supported thing - you could hardly call that "bothering users with external devices", right?

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/863#issuecomment-384569498 using your GitHub account

Received on Thursday, 26 April 2018 09:09:18 UTC
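
The two registration approaches described in the comment above, as an added example that is not part of the original message or of any browser's or RP's code. `buildCreateOptions`, `planRegistration`, the strategy labels and the sample option values are hypothetical; only `isUserVerifyingPlatformAuthenticatorAvailable()` and `authenticatorSelection.authenticatorAttachment` come from the comment.

```javascript
// Added example. Function names, strategy labels and sample values are
// hypothetical; only the WebAuthn API members come from the comment above.

// Pure decision step: given the availability result, build create() options.
function buildCreateOptions(platformAvailable, strategy, base) {
  if (!platformAvailable) return null; // do not offer registration at all
  const selection = { ...(base.authenticatorSelection || {}) };
  if (strategy === "platform-only") {
    selection.authenticatorAttachment = "platform"; // approach 1
  } else {
    delete selection.authenticatorAttachment; // approach 2: leave it unset
  }
  return { ...base, authenticatorSelection: selection };
}

// Feature-detecting wrapper around the browser check. `pkc` is
// window.PublicKeyCredential in a browser; it is a parameter so the logic
// can be exercised outside one.
async function planRegistration(pkc, strategy, base) {
  const hasCheck = !!pkc &&
    typeof pkc.isUserVerifyingPlatformAuthenticatorAvailable === "function";
  const available = hasCheck &&
    (await pkc.isUserVerifyingPlatformAuthenticatorAvailable());
  return buildCreateOptions(available === true, strategy, base);
}

// Constructed sample options; a real challenge comes from the RP server.
const sampleBase = {
  rp: { name: "Example RP" },
  user: { id: new Uint8Array([1, 2, 3, 4]), name: "alice@example.com", displayName: "Alice" },
  challenge: new Uint8Array(32), // placeholder bytes
  pubKeyCredParams: [{ type: "public-key", alg: -7 }], // ES256
};

// Browser usage:
//   const publicKey = await planRegistration(window.PublicKeyCredential, "platform-only", sampleBase);
//   if (publicKey) await navigator.credentials.create({ publicKey });
```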